Introduction
On January 31, 2005 the Office of Inspector General of the U.S. Department of Health and Human Services ("OIG") published "Supplemental Compliance Program Guidance for Hospitals." It is important for hospitals, and other providers and businesses in the health care industry, to review this supplemental guidance carefully because it sets forth "risk areas" of current concern to the OIG, as well as detailed insights into components that the OIG believes are necessary for a compliance program to be "effective."
From 1997-2003, the OIG published a series of compliance program guidance documents directed at different segments of the health care industry including: clinical laboratories; hospitals; home health agencies; third-party billing companies; the durable medical equipment, prosthetics, orthotics and supply industry; nursing facilities; physicians; and pharmaceutical manufacturers. The purpose of these guidance publications is to curtail the submission of erroneous claims, identify fraud and abuse risk areas, and to provide the industry with general guidelines for establishing effective programs for compliance with federal health care program rules and regulations.
The OIG and other Federal and State regulatory authorities likely will view entities that have "effective" compliance programs as having exerted good faith efforts to comply with governing laws which might, in turn, impact decisions to initiate enforcement actions, the willingness to entertain settlement discussions, as well as the extent of any penalties/remedies sought and the terms of any settlement agreements.
The recently published supplemental guidance for hospitals is the first "supplemental" guidance document issued by the OIG, and is an important document for all companies in the health care industry to review, especially the section that sets forth details regarding what the OIG looks for in determining whether a compliance program is truly "effective."
"Risk Areas" Of ConcernTo The OIG
The OIG identified the following areas as being particularly susceptible to fraud and abuse: the submission of claims; compliance with the Stark self-referral and Anti-Kickback statutes; compliance with the EMTALA and HIPAA laws; gainsharing arrangements; relationships with beneficiaries; and billing the Medicare and Medicaid programs in excess of usual charges.
The OIG identified the submission of claims as the single biggest risk area for hospitals. In this regard, the OIG noted that the following nine claims submission areas are well-understood in the industry: inaccurate or incorrect coding; upcoding; unbundling of services; billing for medically unnecessary services and noncovered services; billing for services not provided; use of outliers; duplicate billing; insufficient documentation; and false cost reports.
Further, the OIG identified four claims submission areas that it believes are "evolving" and/or "under-appreciated" within the industry: outpatient procedure coding; admissions and discharges; supplemental payment considerations; and use of information technology. Regarding outpatient procedure coding, the OIG stated that hospitals need to pay closer attention to coder training, the accuracy of coding and ensuring that claims are supported by the medical record. Moreover, patient status at the time of admissions and discharges influences the amount and method of calculating reimbursement that hospitals receive, and therefore, the OIG cautioned hospitals to keep up-to-date with and to follow current CMS rules governing this area.
In addition, the OIG set forth various examples of hospitals claiming supplemental payments improperly. Finally, the OIG acknowledged that hospitals increasingly rely on information technology, and as a result, recommended that hospitals thoroughly assess all new computer systems and software that impact on the billing process to ensure that they operate correctly, reflect current billing rules (to the extent applicable), and otherwise will not lead to billing errors.
Some of the other general risk areas identified by the OIG in the supplemental guidance are the following:
(1) Self-Referral and Anti-Kickback Statutes. In 8 of the 18 pages of its supplemental compliance guidance, the OIG discussed the Stark self-referral law and the Federal Anti-Kickback statute, and various related areas, such as joint ventures, compensation arrangements with physicians, relationships with other health care entities, recruitment and retention arrangements, discounts, medical staff credentialing, and malpractice insurance subsidies. One of the prevailing concerns is that transactions be at arms-length and that any payments reflect fair market value.
In particular, the OIG discussed exclusive arrangements between hospitals and hospital-based physicians or physician groups that require the physicians to perform reasonable administrative or limited clinical duties, directly related to the hospital-based professional services, at no charge or a reduced charge. The OIG stated that these scenarios would not violate the Federal Anti-Kickback statute, provided that the overall arrangements are consistent with fair-market value in an arm's length transaction.
(2) Gainsharing. Hospitals may not make payments to physicians which may influence physicians to reduce or limit services to patients. The OIG advised hospitals to be very careful when structuring arrangements with physicians involving incentive payments for achieving cost-savings.
(3) Substandard Care. The OIG expressed concern over the provision of unnecessary or substandard items or services, and it cautioned hospitals always to be vigilant in reviewing the quality of care provided to patients, consistent with applicable standards.
(4) EMTALA. The OIG stressed the importance to hospitals of satisfying their obligations under the EMTALA law regarding the assessment, stabilization and treatment of patients experiencing emergency medical conditions, as well as strict rules regarding the transfer of such patients.
(5) Relationships with Federal Health Care Beneficiaries. The OIG noted that hospitals should refrain from offering anything of value to federal program beneficiaries to influence their selection of a particular provider of services, and it highlighted the importance of waiving co-payments and deductibles only under certain well-defined circumstances.
(6) HIPAA. Hospitals must be careful to comply with all applicable provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) including confidentiality rules, as well as new security standards that take effect in April 2005.
(7) Billing in Excess of Usual Charges. The OIG warned against hospitals routinely charging Medicare or Medicaid "substantially in excess" of the amount they charge other insurers or patients, and the need to show "good cause" for any exceptions.
Compliance Program "Effectiveness"
Careful review of the OIG's supplemental guidance is critical to developing an effective compliance program at any hospital or other health care entity. The OIG indicated that its supplemental guidance "may serve as a benchmark or comparison against which [hospitals can] measure ongoing efforts and as a roadmap for updating or refining their compliance plans." The OIG emphasized the active involvement and promotion of compliance at the highest levels of the organization, including the hospital's senior management and board. There should be a culture of compliance that permeates throughout all levels of the organization.
An "effective" compliance program should have systems in place to prevent, detect and correct compliance issues and problems. The OIG stressed the need for each hospital to review, at least annually, the implementation of its compliance program to ensure that it is "effective." In this regard, it may be advisable for hospital boards to have this annual "effectiveness review" periodically conducted by, or reviewed/confirmed by, an outside firm. The OIG outlined various factors that should be considered during such an "effectiveness review," which are summarized below.
Key to the effective implementation of a compliance program is a compliance department or office guided by a well-qualified compliance officer who is a member of senior management. The compliance unit must have sufficient resources, training, authority and autonomy to carry out its purpose of ensuring that the hospital complies with all applicable Federal health care program requirements. Further, there should be an active compliance committee with representatives from various key departments and members of senior management.
The compliance officer should have direct access to senior management, legal counsel and the board, and a working relationship with billing, financial and clinical personnel. To further encourage the institutionalization of the compliance program, the compliance officer should make regular (and detailed) reports to the board and senior management regarding various aspects of the program, as well as the adequacy of resources available to carry out compliance activities.
The hospital should have systems and written policies in place to assist employees with addressing the compliance issues they confront while carrying out their employment obligations. Adherence to the compliance program should be included in each employee's job description, and should be assessed as part of each employee's annual review. Further, employees who fail to adhere to requirements of the compliance program or otherwise act improperly should be disciplined in accordance with disciplinary standards that are well-publicized and consistently followed.
The hospital should foster an environment that encourages open communication to ensure that problems, or potential problems, are detected as early as possible. In this regard, the hospital should consider establishing a means for the anonymous reporting of compliance problems, and should broadly publicize the availability of its reporting mechanism, as well as other compliance-related topics (on posters throughout the facility, in periodic employee newsletters, on the organization's intranet site, etc.). There should be a strong non-retaliation policy so that employees are not reluctant to report compliance issues.
Annual training and education of all hospital employees, contractors and the governing board are essential to an effective compliance program. Training programs should be conducted by competent and qualified trainers. The content of the training should be reviewed at least annually and modified to reflect changes in Federal health care laws, guidance issued by relevant agencies, and problems identified through the hospital's investigations and audits. The hospital should evaluate the effectiveness of the training by conducting post-training testing, and seeking employee feedback.
Hospitals should implement auditing and monitoring procedures and respond to any detected deficiencies. A "risk assessment tool" should be utilized to assess the accuracy of billing and overall compliance with applicable State and Federal rules and regulations. Different areas should be audited each year based on new areas of governmental focus, areas of potential exposure identified by managers, and the results of past audits and investigations. A majority of audits can be internal, but the OIG recommends that at least some audits be conducted by, or be reviewed/confirmed by, external auditing firms. Auditing should be used not only to identify billing issues and other areas of noncompliance, but also to assist in the identification of the underlying causes of errors and noncompliance.
When compliance problems are identified through the investigation of anonymous reports or the results of audits, they should be promptly corrected, as applicable, via policy or operational modifications, disciplinary actions, and the return of overpayments. The board should be fully briefed on all such matters, and should be involved in final approval of remedial actions.
Finally, as is the case with all aspects of an organization's involvement in government programs, all compliance program efforts described above should be very well-documented.
Conclusion
Hospitals and other companies in the healthcare industry would benefit from a careful review of the OIG's recently issued Supplemental Compliance Program Guidance. Most significantly, that document sets forth in detail factors that the OIG and other governmental authorities will focus on when assessing whether an organization's compliance program is "effective." Organizations with "effective" compliance programs likely will be viewed as good corporate citizens and will benefit in connection with governmental enforcement activities.
Published March 1, 2005.